
Fixes for authorization in bulk action routes

David Bomba 2023-10-30 16:26:43 +11:00
parent ca967876c2
commit 4f5d5ef189
2 changed files with 8 additions and 7 deletions


@ -487,13 +487,19 @@ class InvoiceController extends BaseController
$user = auth()->user();
$action = $request->input('action');
$ids = $request->input('ids');
if (Ninja::isHosted() && (stripos($action, 'email') !== false) && !$user->company()->account->account_sms_verified) {
return response(['message' => 'Please verify your account to send emails.'], 400);
}
/**@var \App\Models\User $user */
$user = auth()->user();
if(in_array($request->action, ['auto_bill','mark_paid']) && $user->cannot('create', \App\Models\Payment::class)) {
return response(['message' => ctrans('texts.not_authorized'), 'errors' => ['ids' => [ctrans('texts.not_authorized')]]], 422);
}
$invoices = Invoice::withTrashed()->whereIn('id', $this->transformKeys($ids))->company()->get();
if (! $invoices) {
@ -651,9 +657,6 @@ class InvoiceController extends BaseController
/*If we are using bulk actions, we don't want to return anything */
switch ($action) {
case 'auto_bill':
if($user->cannot('create', Payment::class)) {
return $this->errorResponse(['message' => ctrans('texts.action_unavailable', ['action' => $action])], 400);
}
AutoBill::dispatch($invoice->id, $invoice->company->db);
return $this->itemResponse($invoice);
@ -677,9 +680,6 @@ class InvoiceController extends BaseController
// code...
break;
case 'mark_paid':
if($user->cannot('create', \App\Models\Payment::class))
return $this->errorResponse(['message' => ctrans('texts.action_unavailable', ['action' => $action])], 400);
if ($invoice->status_id == Invoice::STATUS_PAID || $invoice->is_deleted === true) {
return $this->errorResponse(['message' => ctrans('texts.invoice_cannot_be_marked_paid')], 400);
}
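Review bot: The per-action `cannot('create', Payment::class)` checks dropped from the `auto_bill` and `mark_paid` cases in the second and third hunks are now enforced only by the new block in `bulk()`, so if the method holding that `switch` is also reached from a caller other than `bulk()` (its start lies outside the hunk, so this cannot be confirmed here), those callers lose the authorization check; either keep a check at the point of action or confirm every caller runs the new block first. In the first hunk the new condition reads `$request->action` although the method has already bound `$action = $request->input('action')`, and the loose `in_array` should be strict: `if (in_array($action, ['auto_bill', 'mark_paid'], true) && $user->cannot('create', \App\Models\Payment::class)) {`. The second `$user = auth()->user();` beneath the added docblock duplicates the assignment a few lines above; moving `/** @var \App\Models\User $user */` onto the first assignment and deleting the second leaves a single binding. The method containing the first hunk also starts outside the hunk.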


@ -12,6 +12,7 @@
namespace App\Http\Requests\Invoice;
use App\Http\Requests\Request;
use App\Models\Payment;
class BulkInvoiceRequest extends Request
{